thorn jasper
On the doc page https://docs.openclaw.ai/tools/multi-agent-sandbox-tools example 2b it demonstrates setting an explicit profile in agents.list[].tools and another explicit tool allow and shows that the allows are additive. But in my experience, plus a separate doc page, it seems to indicate that if agents.list[].tools is non-empty, all tools are denied.
What is the best convention for explicitly allowing additional tools after a tool profile for an agent?
full doveBOT
upbeat riverBOT
Let me verify the docs source first, then I’ll answer from the actual text/code instead of guessing.
I found the important bit: there’s a newer alsoAllow field in config/schema, and that’s the additive one. I’m checking the implementation now so I don’t misstate behavior.
Short version: use profile + alsoAllow.
near saffron{
agents: {
list: [
{
id: "support",
tools: {
profile: "messaging",
alsoAllow: ["slack"]
}
}
]
}
}
Current behavior is:
profile = base baselinealsoAllow = additive on top of that baselineallow = restrictive allowlist mode, not additivedeny still winsSo if agents.list[].tools.allow is non-empty, everything else is treated as blocked at that scope. That means the example using profile + allow as if it were additive is misleading for current behavior.
One more important bit: you cannot set allow and alsoAllow together in the same scope.
So the best convention is:
profile for the baselinealsoAllow for a few extra toolsallow only when you want a fully explicit allow-only listI checked the current docs/schema/source for this. Relevant docs:
If alsoAllow is missing in your installed version, then I’d upgrade, or enumerate the full tool set in allow. Glad you caught that, the doc example really does look stale.